The rise of cyber insurance: Reforming war and terrorism exclusions

A version of this article by Group Chief Executive and Managing Director, Manoj Kumar was first published in the February/March edition of FA News.

With the rapid digitisation of industries and markets across the world, businesses are left with a choice between joining what some are calling the ‘fourth industrial revolution’ or falling behind. The insurance industry is no exception and the swift global technological developments over the last decade have meant customers and clients increasingly expect quicker and higher-quality services from insurers.

Artificial intelligence, in particular, is playing an important role in disrupting industries worldwide, through innovating processes and services. In the Middle East, the annual increase in the contribution of AI to GDP is predicted to be between 20% and 34% per year. In the UAE alone, AI is expected to contribute to close to 14% of economic growth by 2030, the largest contribution of any country in the region. This is unsurprising given the nation is  in the Global Innovation Index 2022, which ranks the world economies according to their innovation capabilities.

The insurance industry has traditionally been regarded as slow to accept innovative technologies. However, the impact of the pandemic coupled with the growing competition of the market has led to the industry now modernising at a rapid pace. The swift adoption of AI technologies has helped insurance firms with issuing payments for customers, fraud detection, customer service and pricing through automation and machine algorithms.  As a result, we have seen the rise of insurtech firms in recent years in the Middle East, combining advances in technology with knowledge of the insurance industry to help insurance businesses become more successful. In 2019 alone, $26 million was invested in MENA-based insurtech startups. Furthermore, according to the Capgemini World Insurtech Report 2020, 67% of UAE-based insurers would like to collaborate with insurtechs, and 85% are keen to work with techno providers. In addition, 60% of traditional insurers are keen to work with large-scale technology solutions.  With yearly events such as InsureTek, the Middle East’s largest insurance technology gathering, growing in attention globally, this region is on its way to becoming a hub for insurtech.

The development of this sector in the Middle East is reliant not only on businesses but on governments and central banks. In 2021, the UAE Central Bank implemented an insurance regulatory ‘sandbox’, to help refine the regulatory framework for more experimental products and services within the insurance industry and encourage innovation. Policies such as these combined with the growing use of insurtech services by traditional insurers in the UAE have played a significant role in disrupting the sector. Through adopting these new technologies, insurtech firms are freeing insurers from the limitations of their old systems and allowing them to fill the gaps that the traditional insurance market has found challenging to fill.

This has contributed to the rise of innovative insurance products, most notably parametric insurance, where compensation is provided when an event occurs instead of a loss experience, and the details of the parameters are decided upon before the cover starts.  One of the most important technological developments within the sector that is helping the rapid growth of parametric insurance is Blockchain.

Blockchain technology makes the insurance claim handling process easier through smart contracts and software programmes that automatically implement the agreement terms when the previously agreed conditions are met. This removes the requirement for damage assessments which are costly and timely to undertake. These computer automated contracts can therefore maximise efficiency and value for the consumer, particularly when pre-agreed parameters have been exceeded, such as a fire or hurricane of a certain size.  Governments in the Middle East are now looking to this technology more and more to maximise their business processes.

The UAE Government, for example, launched the Emirates Blockchain Strategy 2021, which aimed to transform 50% of government transactions into the blockchain platform. This built upon the 2018 Future Blockchain Summit, the first and largest blockchain event in the Middle East, which included insurtech startups, insurers and investors. In addition, Saudi Arabia has incorporated blockchain technology into its 2030 vision to reduce the country’s dependence on oil and focus on the financial services sector. 

The growing popularity of Blockchain has been coupled with the rise of the Internet of Things (IoT). Essentially, the transfer of data between multiple deices over the internet. Whilst in 2021 there were 12.5 billion devices connected to a network globally, by 2025 there will be over 50 billion. The effect of IoT on the insurance industry has the potential to be huge. This technology allows brokers to know what is happening to their insured assets in real time through maximising the flow of data to insurers. When it comes to parametric insurance, IoT allows insurance companies to give out claims instantly due to the information gathered from the devices. 

In the Middle East, IoT connects 300 million devices. Dubai has aimed to exploit this through its IoT Strategy, which sets out plans to build the most advanced IoT ecosystem, to become the smartest city in the world. Moreover, data centres for cloud service providers in the UAE have been increasing in quantity.

For example, IBM have launched multiple data centres, participating in the UAE’s smart transformation, and aim to form a 100% paperless government. Actions such as these taken by companies and governments in the Middle East on IoT will help shape the impact of this technology on a variety of sectors, including the insurance industry. 

With the rise of technologies such as AI, Blockchain and IoT, it’s a very exciting time to be in the insurance industry in the Middle East, particularly in the UAE, where it’s looking like insurtech is likely to boom.  In the next five years, these kind of innovations will continue to increase and lead to more disruption within the insurance industry in this region. The success of insurtech will be down to the government of the country and insurance businesses themselves. The most successful countries will be those with governments that not only accept these technological changes but support this kind of innovation. The businesses who will benefit most will be those that are adaptable and keen to integrate some of these technologies into their processes, refusing to get left behind in this rapidly changing market.

In a world where businesses are becoming far more reliant on digital platforms, the threat and impact of cyber attacks is far greater now than it ever has been before. Cyber security breaches can lead to huge damage for businesses, ranging from lost revenue and disruption to litigations and the costs that come with this.

In recent times, the number of cyber attacks in South Africa has been increasing, and the country is now sixth in the world for cybercrime density. Moreover, South Africa has reported the highest year-on-year increase in cyber attacks, with a rise of over 200% in cyber security breaches since 2019. There are various reasons behind this, but the main drivers are limited investment in cyber security and a lack of cybercrime legislation in South Africa, making the country an attractive target for hackers.

This rise has gone hand in hand with the growth of cyber insurance, helping companies recover from losses caused by attacks such as malware, ransomware or hacking as well as increasingly covering the reputational and financial costs resulting from these breaches. On a global scale, the cyber insurance market is expected to increase from 145 billion ZAR to 520 billion ZAR by 2025. Furthermore, according to market research, the South African cyber insurance market is expected to see growth of 45.5% during the period 2019 to 2025.

Whilst cyber insurance has seen rapid growth in South Africa, the market is having to adapt to the changing nature of the threat. A key problem that has arisen is when war or terrorism are behind the attacks. The increasing use of technology in warfare has blurred the lines on when war and terrorism exclusions apply, leading to difficult decisions about how much customers can rely on their cover.

The most famous example of this is the global NotPeya attack, a cyber attack which affected thousands of businesses and companies across the globe. Originally starting in Ukraine, the cyber attack rapidly spread across Europe and into Africa in just 24 hours after the original infection. This attack resulted in huge financial loses for over 2000 organisations, costing them more than $1.2 billion. The Russian military were blamed for the attack by the UK and US Governments. Issues therefore arose when businesses tried to claim for their losses under their cyber coverage policies. In response, their insurers rejected their claims as a result of the war and terrorism exclusions, leading to a legal battle, costing businesses time and money. This has therefore led to questions being asked about what kind of attack would actually be covered and how the market can adapt its offer to ensure customers get the cyber insurance they need.

Some interesting solutions have been put forward to start to tackle these issues. In Autumn 2020, the Carnegie Endowment for International Peace, released a paper which included proposals to scrap traditional war and terrorism exclusions. Instead, exclusions could be based around geography, focusing on which areas has kinetic warfare taken place, meaning the cyber losses in only these areas could be removed from coverage, independent of who the aggressor is.

Moreover, at the end of 2021, Lloyd’s published four new cyber war exclusion clauses, all of which contained the provision that the main factor in determining if another state is responsible for the cyber attack “shall be whether the government of the state in which the computer system affected by the cyber operation is physically located, attributes the cyber operation to another state”, meaning the insurer would need written confirmation from a public body to confirm that the cyber attack is connected to another nation’s government.

As geopolitical tensions continue to rise and different regions become more digitally connected and reliant on each other, cyber warfare attacks are only set to increase, greatly affecting countries like South Africa where cyber security technology is still developing. Whilst solutions to the issue of war and terrorism exclusions in cyber insurance have begun to be discussed, there is still more work to do within the sector to address these issues. Insurers, regulators and the South African Government will need to work together to agree upon how to reform these exclusions and the impact this will have on South African businesses if they are ever faced with a cyber attack.